(Apologies for a possible double post.) Can you share the details of how you managed to do this with FreeIPA (even if it includes kadmin.local work)? Many thanks!
On 5/18/16 6:03 PM, Coy Hile wrote:
> When I've done this in the past, I used MIT directly, not IPA. I set up a one
> way trust, then used "shadow objects" for users mapped using
> alternateSecurityID. I've set up the same one way trust testing with freeipa,
> but unfortunately I had to use kadmin.local to do it. I don't know that
> that's actually supported. Simo?
>
> -c
>
> Sent from my iPad
>
>> On May 18, 2016, at 17:19, John Meyers <john+free...@themeyers.us> wrote:
>>
>> All,
>>
>> FreeIPA as we've discovered has some wonderful Windows integration
>> capability, but it is all predicated on Windows AD being the
>> authoritative source of user information. 2-Way trusts are great, but
>> they only work for kerberized applications, not native Windows rights
>> (that would require FreeIPA to act as global catalog as I learned from
>> Alexander). The winsync capability does not, as it turns out, sync
>> native IPA users to AD.
>>
>> The million dollar question is if you are a 90% Linux shop and FreeIPA is
>> your authoritative user repository (AD is a blank slate), how do you
>> perform local Windows login authentication for the 10% of Windows
>> machines against FreeIPA?
>>
>> Thank you all!
>>
>> John
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
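For readers who want to see what the "one way trust plus shadow objects" approach looks like on the Windows side, the following is an added example and is not code from the thread, from Coy, or from the FreeIPA project. It shows the AD-side steps only: registering the IPA KDC, creating a one-way realm trust in which the AD domain trusts the IPA realm, and creating a password-less-in-practice "shadow" AD account whose altSecurityIdentities attribute maps an IPA Kerberos principal to it (altSecurityIdentities is the real AD attribute name behind what the thread calls alternateSecurityID). The domain name corp.example, realm IPA.EXAMPLE, KDC host ipa1.ipa.example, user jmeyers and trust password are all assumptions. The matching krbtgt/CORP.EXAMPLE@IPA.EXAMPLE principal on the IPA side, which the thread says required kadmin.local, is not shown.

```powershell
# Added example, not from the thread: AD side of a one-way MIT/IPA realm trust
# with a "shadow" AD user mapped to an IPA principal via altSecurityIdentities.
# All names and the trust password below are assumptions for illustration.
$adDomain = 'corp.example'
$ipaRealm = 'IPA.EXAMPLE'
$ipaKdc   = 'ipa1.ipa.example'
$trustPwd = 'ChangeMe-TrustSecret-1'   # must match the krbtgt principal set on the IPA side

# 1. Tell Windows where the IPA KDC is and which hosts belong to that realm.
#    Run on the DC and on each member workstation (or push via Group Policy).
ksetup /addkdc $ipaRealm $ipaKdc
ksetup /addhosttorealmmap ipa.example $ipaRealm

# 2. One-way realm trust: corp.example (trusting) trusts IPA.EXAMPLE (trusted).
#    Windows logons with user@IPA.EXAMPLE will then be authenticated by the IPA KDC.
netdom trust $adDomain /Domain:$ipaRealm /Add /Realm /PasswordT:$trustPwd

# 3. Shadow AD account for one IPA user. The AD password is random and never used;
#    the logon is completed by the IPA ticket, and Windows resolves
#    "Kerberos:jmeyers@IPA.EXAMPLE" through altSecurityIdentities to this account,
#    which carries the group memberships and profile settings on the Windows side.
Import-Module ActiveDirectory
$ipaUser = 'jmeyers'
$randomPw = ConvertTo-SecureString -AsPlainText -Force `
    ("{0}Aa1!" -f [guid]::NewGuid().ToString('N'))
New-ADUser -Name $ipaUser -SamAccountName $ipaUser `
    -AccountPassword $randomPw -Enabled $true `
    -OtherAttributes @{ altSecurityIdentities = "Kerberos:$ipaUser@$ipaRealm" }

# 4. Check that the mapping landed on the object.
Get-ADUser $ipaUser -Properties altSecurityIdentities |
    Select-Object SamAccountName, altSecurityIdentities
```

Two caveats a practitioner should keep in mind: the shadow account's random password is a second credential for the same identity, so treat it like any other AD account (the mapping does not disable password logon, it only adds a Kerberos mapping), and the trust password is shared secret material that has to be set identically on both sides, so rotate it the way you would rotate a krbtgt key.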